Malware Authors Taking Advantage of McAfee False Positive
Always ever ready to pounce on any major new events, the creators of rogue antivirus software are quick to seize on the latest major news event to try and push their wares on unsuspecting users. In this case the latest big news event is the false positive relating to McAfee antivirus software.
We have seen poisoned search results since the problem first surfaced. Search terms such as McAfee, 5958, or DAT are returning results that can lead to malicious and fake antivirus scan sites, resulting in the installation of malware. One such site sends the user to qpi72z.xorg.pl that in turn redirects to scanszforvir8.com. There you will find the usual fake online scanner followed by the offer of fake antivirus software (Symantec detects them as Trojan.FakeAV).
This attack by the malware creators is quite insidious since many of the people searching for information about this problem are most likely already affected by the problem and are looking for a solution using another computer, perhaps borrowed from a friend or family member. What this attack does is to introduce another problem into a situation that is already bad and shows that these miscreants have no qualms whatsoever about how they go about making a quick buck whenever and however they can. We have of course seen plenty of examples of this kind of blackhat SEO-based attack in the past using events such as the Icelandic volcano eruptions, earthquakes, and various celebrity mishaps.
Symantec customers are already protected from these attacks by way of IPS and antivirus signatures. Of course, those who are concerned about false positives will be glad to know that we have gone to great lengths to put in place systems and processes that will ensure that our definition files are of the highest quality with minimal risk of causing these hugely disruptive events.